Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Sep 2010 13:12:14 -0400
From: Charles Weir <>
Subject: Attacking Windows-ALT chars in LM Hashes

I apologize if this has been asked, (and answered), before, but every
once in a while I run into a LM hash that was created using one of the
ALT characters in Windows, (aka holding down the ALT+4 digits). I'm
currently trying to figure out the best, (or a least several
different), ways of attacking these passwords. The following webpage
has an example of some of the more commonly used ALT characters:

Now, there's always Dumbforce mode:

But I would like to do something a little smarter, (plus I don't even
have close to the computer power to crack the first 7char half using
dumbforce). So far, here's where I'm at:

1) While I love incremental mode, this isn't really the way to go. I
don't have enough passwords using ALT characters to train on, and I
would have to pair it with an external mode to ensure each guess
contained at least one ALT character.
2) I could certainly modify dumbforce/or knownforce mode to target a
limited range of the most commonly used ALT + normal characters. I
guess my biggest question then is what numerical values do the ALT
characters correspond to? aka is ALT-0142 represented as a character
with value 142 in Windows, or is it encoded some other way?
3) As a similar question, I remember reading somewhere that LANMAN
doesn't handle certain ALT characters, (in which case you would only
end up with NTLM hashes). Does anyone have a list of the allowed ALT
characters? Also does Windows LM capitalize ALT characters like
ALT-0228 which is the lowercase a with the umlaut?
4) Is there a way to include these ALT characters in John's wordlist
rules? For example, I'd like to have a rule sa"ALT-0288", which would
replace 'a' with the ALT-0228 character. I guess what I'm trying to
say is if there is a way to specify the hex value of a character vs
just typing it in the config file.

Now I'll freely admit, not many people use ALT characters, but when I
do run across an 'Unbreakable' LM hash I'd love to have a few tricks
up my sleeve to deal with it. Also, if they are using a different
codepage encoding, (instead of using ALT characters), that opens up a
whole new can of worms. Any other suggestions/tips/tricks on dealing
with these would be greatly appreciated, (I saw a few posts on how to
include non-English characters, but nothing on how they interact with
LM hashes).

Finally on a somewhat unrelated note, is there any easy way to search
throught the mailing list archive. I've looked through the selected
posts on the wiki, and found the actual mailing list archie at, but I was wondering if
there was a search option, since I really doubt I'm the first person
to run into this problem and I hate spamming the list with questions
that have already been answered.

Matt Weir

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.